If you find any bugs with this release let me know. I plan to release 1.0 in the next couple of weeks.

3rd October 2008 - Version 0.12 is now available

Command line interface added

Fixed a bug that caused the "User Agent" to not get set when adding custom headers

Updated all api's used

22th August 2008 - Mac dmg for 0.11.1 is now available

A Mac package for version is available, big thanks to Richard Dean for this.

20th August 2008 - Version 0.11.1 is now available

Fixed a bug that caused the check for updates not to work correctly

20th August 2008 - Version 0.11 is now available

Added a windows installer

Added more content to the help section, but it's not finished yet.

Improved the way in which DirBuster handles inconsistent fail codes

Fixed a bug that caused deadlock due to all the parsing threads exiting

Tweaked the content analysis code to reduce false positives, when DirBuster is using that mode

Added code to make sure it display correctly on Vista

Fixed a bug that caused files found to not be shown in the report

Slight tweak to worker to improve performance

Fixed a couple of points within the GUI, and spelling mistakes.

Overview

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)

What DirBuster can do for you

Attempt to find hidden pages/directories and directories with a web application, thus giving a another attack vector (For example. Finding an unlinked to administration page).

What DirBuster will not do for you

Exploit anything it finds. This is not the purpose of DirBuster. DirBuster sole job is to find other possible attack vectors.

How does DirBuster help in the building of secure applications?

By finding content on the web server or within the application that is not required.

By helping developers understand that by simply not linking to a page does not mean it can not be accessed.

Project Goals

To produce a tool to that will assist in black box application testing, by trying to find hidden content.

Ensure the tool produced provides information is such a way that any false positives produce can be quickly identified.

Produce text based lists that can be used by the above mentioned tool.

Features

DirBuster provides the following features:

Multi threaded has been recorded at over 6000 requests/sec

Works over both http and https

Scan for both directory and files

Will recursively scan deeper into directories it finds

Able to perform a list based or pure brute force scan

DirBuster can be started on any directory

Custom HTTP headers can be added

Proxy support

Auto switching between HEAD and GET requests

Content analysis mode when failed attempts come back as 200

Custom file extensions can be used

Performance can be adjusted while the program in running

Supports Basic, Digest and NTLM auth

Command line * GUI interface

DirBuster Lists

DirBuster comes with a set of unique directory and files lists, these have been generated based on the file and directory names that are actually used by developers on internet sites. The order of the lists is based on the frequency of the item found. Therefore the most common items appear at the top. These lists are what make DirBuster.

NOTE: It will come as no surprise to you all that the internet is full of porn, thus it not surprising that the spider used to generate the lists visited a few along the way. Thus there are explicit words contained within the lists. My stand point on this is simple, this tool was designed to used as part of legitimate security testing, and if there are directories/files based on explicit words, clients would want to know!!

The following lists are included with DirBuster, or as a separate download:

directory-list-2.3-small.txt - (87650 words) - Directories/files that where found on at least 3 different hosts

directory-list-2.3-medium.txt - (220546 words) - Directories/files that where found on at least 2 different hosts

directory-list-2.3-big.txt - (1273819 words) - All directories/files that where found

Other Projects Using DirBuster Lists

Feedback and Participation

We hope you find the OWASP DirBuster Project useful. Please contribute to the Project by volunteering for one of the tasks, sending your comments, questions, and suggestions to DirBuster@sittinglittleduck.com. To join the OWASP DirBuster Project mailing list or view the archives, please visit the subscription page.